Because the Health Insurance Portability and Accountability Act (“HIPAA”) does not provide a private right of action, plaintiff’s attorneys have sought a means to link HIPAA violations to other state or federal legal frameworks which do provide direct recourse for private individuals. A recent ruling by the Connecticut Supreme Court may open new avenues of this type. In Byrne v. Avery Center for Obstetrics and Gynecology, PC, the Court reached two key conclusions:
- HIPAA does not preempt state common law causes of action for negligence and
- the HIPAA regulations may be used to establish a standard of care for common law negligence causes of action.
The case arose when the plaintiff asked her physician not to share her medical records with a former significant other. Contrary to the plaintiff’s request, the physician provided her medical records to the former significant other in response to a subpoena without notifying the plaintiff or contesting the subpoena, in violation of the HIPAA Privacy Rule.
It remains to be seen whether the Connecticut courts conclude that the alleged unauthorized disclosures of health information resulted in cognizable harm. However, the ruling takes a significant step toward creating a method for individuals to hold health care providers, insurers, and other organizations that handle health information liable for uses or disclosures that occur in violation of HIPAA.
While the Byrne decision is not binding outside the State of Connecticut, the reasoning may prove compelling to courts in other states. For example, courts are generally reluctant to infer federal preemption in the absence of plain statutory language to that effect and HIPAA contains no clear preemption of common law negligence claims. More uncertain is the question of whether other states will permit the use of HIPAA as a standard of care for negligence claims. This may be highly dependent upon local precedent, but it is foreseeable that courts in a number of states may reach conclusions similar to the Connecticut Supreme Court.
Even if the Byrne reasoning is adopted, plaintiffs may still face a number of challenges in court. Plaintiffs may still face the most common hurdle to private breach litigation – demonstrating harm resulting directly from an unauthorized disclosure. For example, in Remijas v. The Neiman Marcus Group, LLC, the Northern District of Illinois recently concluded that the plaintiffs failed to demonstrate sufficiently concrete harm to bring a claim. Yet there may be an important distinction for the types of sensitive health information protected by HIPAA.
Most cases that have been dismissed for lack of concrete harm have involved financial information or government-issued identifiers (e.g., Social Security Numbers). These types of information may be used to commit identity theft and fraud resulting in financial harm. However, these potential harms require additional steps on the part of criminals to have any effect on individuals. In addition, non-legal remedies may ameliorate harms to individuals. For instance, the court in Remijas noted that fraudulent charges can be reimbursed to consumers. On the other hand, the content of health information can be highly sensitive, resulting in financial, reputational, and/or emotional harm as an immediate consequence of disclosure. This is one of the reasons that many states expressly prohibit unauthorized disclosures of medical records with little, if any, regard to how that information is used or to whom it is disclosed. Therefore, plaintiffs may find greater success in demonstrating harm from unauthorized disclosures of HIPAA protected health information.
If HIPAA violations become a predicate to common law private rights of action, the impact could apply across a wide range of the economy. HIPAA covered entities, such as health care providers and insurers, would face heightened legal and financial risks. It should also be noted that the HITECH Act imposes much of the HIPAA statute and regulations (including all requirements of the HIPAA Security Rule) directly upon business associates. Hence, the establishment of a common law private right of action could also present significant risk to entities that regularly handle or process health information on behalf of covered entities, including information technology consultants and service providers, accounting firms, and law firms.
It should be noted that establishment of HIPAA as a standard of care could be somewhat beneficial to HIPAA covered entities and business associates. The HIPAA regulations set out clear guidelines for appropriate uses, disclosures, and safeguards for protected health information. This may mitigate the concerns that some have expressed about the relative scarcity of such guidance for protecting other types of personal information (such as in the current FTC enforcement action against Wyndham Hotels). Nonetheless, HIPAA covered entities and business associates should carefully monitor the Byrne case as it progresses as well as developments in other states and take steps to ensure that their HIPAA compliance programs are as robust as possible.